search menu icon-carat-right cmu-wordmark

CERT Coordination Center


GNU Radius accounting service fails to properly handle exceptional Acct-Status-Type and Acct-Session-Id attributes

Vulnerability Note VU#277396

Original Release Date: 2004-02-05 | Last Revised: 2004-02-05

Overview

The GNU Radius accounting service fails to properly handle packets with exceptional Acct-Status-Type and Acct-Session-Id attributes.

Description

GNU Radius is a software package used for remote user authentication and accounting. There is a vulnerability in the way the rad_print_request() function processes a UDP packet containing Acct-Status-Type and Acct-Session-Id attributes that do not specify values.

Impact

An attacker who is able to send a UDP packet to the service could cause the Radius daemon (radiusd) to crash. No authentication is required to exploit this vulnerability. The Radius accounting service typically listens on 1813/udp or 1646/udp.

Solution

Upgrade

Upgrade to GNU Radius version 1.2.


Block or Restrict Access

Block or restrict access to Radius accounting services (typically 1813/udp or 1646/udp) from untrusted networks such as the Internet.

Vendor Information

277396
Expand all

GNU Radius

Notified:  February 05, 2004 Updated:  February 05, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This vulnerability has been addressed in GNU Radius 1.2. The latest version of GNU Radius can be found at


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was reported by iDEFENSE Labs.

This document was written by Damon Morda and Art Manion.

Other Information

CVE IDs: None
Severity Metric: 7.94
Date Public: 2004-02-04
Date First Published: 2004-02-05
Date Last Updated: 2004-02-05 21:05 UTC
Document Revision: 15

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.